BEIJING—Cybersecurity proposals by China have U.S. businesses worried that the draft regulations represent additional barriers to the Chinese market, a concern that could complicate U.S.-China trade talks.
The new rules and standards, floated over the past two months with little fanfare, flesh out an existing cybersecurity law that Washington and many foreign businesses already consider draconian. Some would forbid certain data from leaving China or at least slow the process of dispatching data, which would increase uncertainties and costs for business. Tough rules for procuring equipment could also place foreign products at a disadvantage.
If enacted, the measures are likely to hit a swath of American companies, including such tech manufacturers as Cisco Systems Inc., International Business Machines Corp., Juniper Networks Inc. and Dell Technologies Inc. Providers of financial services and the automotive sector also could be affected.
U.S. businesses and trade groups say some of the proposals are too vague and give Chinese officials leeway on enforcement. The Cybersecurity Administration of China and the Ministry of Public Security, which are involved in the various drafts, didn’t respond to requests for comment.
The rules reflect multiple factors shaping China’s cybersecurity landscape, including growing consumer awareness over data privacy and a recent global trend of establishing new privacy rules, experts say.
China has unveiled a raft of new draft rules that worry U.S. businesses
- MLPS 2.0: Updates existing Multi-Level Protection Scheme, which grades tech products based on risk and sets out regulatory requirements
- Mandatory certifications: Compiles standards for 15 types of products, including routers and servers, that require certification to access the market
- Cybersecurity reviews: Clarifies security steps for “critical information infrastructure” operators to procure goods and services linked to national security
- Personal information collection: Limits when network operators can collect data and how it should be protected
- Personal information of children: Boosts online protections for children under 14 years old
- Security tests: Requires test results to be verified by the government before products make the “critical network equipment” list
- Data transfer: Controls how personal information can be sent out of China
- Encryption law: Updates an existing draft law that classifies the types of encryption to be used to protect state and commercial information
- Cloud services: Sets rules for cloud-service providers seeking to supply government and critical information infrastructure operators
Sources: Cyberspace Administration of China, China’s Ministry of Industry and Information Technology, TC260, New America
Even if the proposals reflect broader concerns, the timing of their release suggests Beijing is using them to show Washington it has ways to punish U.S. businesses within the context of the China-U.S. trade fight, experts said.
“These are the tools in the arsenal that can be ready to be fired,” said Samm Sacks, a cybersecurity expert at the Washington-based think tank New America.
While additional regulations had been expected following the introduction of a new cybersecurity law in 2017, Beijing seemingly held them in abeyance while trade talks with the U.S. progressed early this year. Greater access for American tech companies is a priority for U.S. negotiators, and Chinese officials showed a willingness to discuss issues related to cybersecurity.
But negotiations foundered in May, and Beijing then started releasing the new draft rules. More followed after Washington placed restrictions on Chinese telecommunications-gear maker Huawei Technologies Co.
President Trump and his Chinese counterpart Xi Jinping last month committed to restarting trade talks, with delegations set to meet this week. The proposed cybersecurity regulations could be a factor as negotiations proceed given that they would impose restrictions on American business operations and market access.
“China’s resumption of regulatory efforts signals less willingness to bow to U.S. demands in hopes of [a trade] agreement,” said Paul Triolo, head of geo-technology at research firm Eurasia Group.
The Office of the U.S. Trade Representative didn’t respond to a request for comment.
While the cybersecurity law is already in effect, Beijing is spelling out implementation measures.
The recently released drafts cover at least eight categories. Of particular concern are proposed cybersecurity reviews that operators of “critical information infrastructure” would have to go through to procure network equipment that could affect national security. The scrutiny would include a review by an interagency organization.
The draft doesn’t precisely define “critical information infrastructure” operator. China has broadly said the classification includes those with computer-network operations in telecommunications, energy, transportation, information services and finance. U.S. trade negotiators are pressing for more details.
The proposed rule also states that operators must assess risks including the likelihood of supply-chain disruption due to “politics, diplomacy and trade”—wording that policy experts say is likely in direct response to U.S. actions against Huawei.
These rules could deter Chinese companies from procuring foreign equipment if they fear the products would be subject to lengthy reviews or even get blocked, said Yan Luo, a Beijing-based attorney focused on cybersecurity policies at Covington & Burling LLP.
Another batch of rules outlines steps involving security tests on “critical network equipment.”
The Ministry of Industry and Information Technology, which drafted this set of rules, said it had received feedback from foreign companies—including Cisco, IBM, Juniper, Dell, and Germany’s Siemens AG—that make network equipment such as routers, switches and servers. Any new measures would offer an open and uniform standard and “foreign technologies and products will not be discriminated against,” the ministry said.
A Cisco spokesman said the company is committed to complying with local law. Dell said it advocates for policies that enable an open and secure digital economy. An IBM spokesman said the company is “confident that we can comply with these standards.” A Siemens spokesman said the company advocates “for dialogue between all parties including regulators to strengthen trust between all stakeholders.” Juniper didn’t comment.
U.S. businesses are also concerned about changes that would restrict the outflow of personal information deemed to be a threat to national security or harmful to the public interest.
Network operators would also be subject to a local security review over other personal data.
The combined effect of these new rules would be to increase the cost and risk of doing business in China, said Lester Ross, a Beijing-based attorney and chairman of the American Chamber of Commerce in China policy committee.
contributed to this article.
Write to Yoko Kubota at email@example.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.